More than 90 billion passwords are being used across the web today, and it’s expected to be nearer 300 billion by 2020. With that in mind, the topics of password best practices and the threats around stolen credentials, remain top challenges for many global organizations.

Security Boulevard recently hosted a webinar with Shape and cyber security expert Justin Richer, co-author of the new NIST (National Institute of Standards and Technology) Digital Identity Guidelines. The webinar looks at how password protection and password attack prevention have evolved.

Key Takeaways

Traditional P@$$wOrd Guidelines Don’t Solve the Problem

Justin Richer discusses how passwords were originally invented as a way to gain entry. But today they have evolved into a way to authenticate who you are. Companies rely on a username-password combination to give them confidence you are who you say you are. So once passwords are stolen, companies have less and less confidence you are the person you claim to be.

To make it difficult for criminals to steal your identity, companies have implemented complex password requirements. Unfortunately, this conventional wisdom around password management, such as enforced rotation every six months, using at least six characters, upper and lowercase characters, numbers and symbols, has made passwords hard to remember.

Additionally, for non-English languages, not all these rules can be applied regarding uppercase and lowercase. They also don’t always adapt to the world of mobile devices where it’s hard to type using touch screens, and the emerging technology of voice recognition personal assistants.

In the end, users reuse passwords that are easy to remember and pick bad passwords due to password fatigue. As a result, traditional password guidelines don’t help companies gain confidence—they are actually compounding the problem.

The Real Culprit – Password Reuse

In reality the problem companies are fighting is password reuse. Once one account has been compromised, the attackers have access to multiple accounts that use the same username and password. Fraudsters may use these accounts themselves, but often they bundle up the stolen credentials and sell the passwords on the dark web.

New NIST guidelines serve to help companies reduce password fatigue and reuse, while also providing suggestions for testing new passwords against a database of stolen credentials—a breach corpus. When the two are implemented together, fraudsters will have a much harder time taking advantage of stolen credentials through account takeover and automated fraud.

New Passwords and Using Blacklists

Revision 3 of the NIST password guidelines overview – Digital identity guidelines – has dramatically updated recommendations on how to use passwords properly:

Don’t rely on passwords alone. Use multi-factor authentication steps to verify the user is who they claim to be.

Drop the complexity requirements, they make passwords hard to remember and aren’t as effective as once thought.

Allow all different types of characters.

End the upper limit on size. Length can be an important key to avoid theft.

Rotate when something seems suspect. Don’t rotate because of an arbitrary timeout, like every six months.

Disallow common passwords.

Check new passwords against a blacklist of stolen passwords.

The most important step is to check new passwords against a blacklist. These cover a range of passwords, including those known to have been already compromised, and those used in any major presentation. Checking against a blacklist is new territory—a lot of organizations don’t even know where to start.

Creating a Blacklist

An ideal blacklist should have all stolen passwords—not just the ones discovered on the dark web. Unfortunately, creating a list of all stolen passwords is difficult. Recently companies have been relying on lists of stolen credentials from the dark web, but these are often too little, too late, as it’s not possible to know how long these stolen passwords have been in circulation. For example, Yahoo was breached in 2013, but didn’t realize until 2016. Due to the economics of attackers, there is almost always a big lag between when data is breached and when it’s exploited.

Blackfish and the Breach Corpus

At Shape we created Blackfish to proactively invalidate user and employee credentials as soon as they are compromised from a data breach. It notifies organizations in near real-time, even before the breach is reported or discovered. How does it do this?

Blackfish technology is built upon the Shape Security global customer network which includes many of the largest companies in the industries most targeted by cybercriminals including banking, retail, airlines, hotels and government agencies. By protecting the highest profile target companies, the Blackfish network sees attacks using stolen credentials first, and is able to invalidate the credentials early in the fraud kill chain. This provides a breakthrough solution in solving the zero-day vulnerability gap between the time a breach occurs and its discovery.

Using machine learning, as soon as a credential is identified as compromised on one site, Blackfish instantly and autonomously protects all other customers in its collective defense network. As a result, Blackfish is the most comprehensive blacklist in the industry today.

Don’t Rely on Dark Web Research

Dark web research provides too little information, too late. Today major online organizations can take a much more proactive approach to credential stuffing. By using Blackfish businesses can immediately defend themselves from attack while reducing the operational risk to the organization. Over time these stolen credentials become less valuable to attackers because they just don’t work, and in turn credential stuffing attacks and fraud are reduced.


Installation and usage

Unminify is a node.js module and is available on npm. It can be installed globally with npm install -g unminify and then executed as unminify file.js, or executed without installation as npx unminify file.js. It is also suitable for use as a library. For more, see the readme.

Unminify supports several levels of transformation, depending on how carefully the original semantics of the program need to be tracked. Some transformations can alter some or all behavior of the program under some circumstances; these are disabled by default.

Background

JavaScript differs from most programming languages in that it has no portable compiled form: the language which humans write is the same as the language which browsers download and execute.

In modern JavaScript development, however, there is still usually at least one compilation step. Experienced JavaScript developers are probably familiar with tools like UglifyJS, which are designed to transform JavaScript source files to minimize the amount of space they take while retaining their functionality, allowing humans to write code they can read without sending extraneous information like comments and whitespace to browsers. In addition, UglifyJS transforms the underlying structure (the abstract syntax tree, or AST) of the source code: for example, it rewrites if (a) { b(); c(); } to the equivalent a&&(b(),c()) anywhere such a construct occurs in the source. Code which has been processed by such tools is generally significantly less readable; however, this is not necessarily a goal of UglifyJS and similar minifiers.

In other cases, the explicit goal is to obfuscate code (i.e., to render it difficult for humans and/or machines to analyze). In practice, most tools for this are not significantly more advanced than UglifyJS. Such tools generally operate by transforming the source code in one or more passes, each time applying a specific technique intended to obscure the program’s behavior. A careful human can effectively undo these by hand, given time proportional to the size of the program.

State of the art

There are well established tools like Prettier for formatting JavaScript source by the addition of whitespace and other non-semantic syntax which improves readability. These undo half of what a tool like UglifyJS does, but because they are intended for use by developers on their own code rather than for analysis of code produced elsewhere, they do not transform the underlying structure. Running Prettier on the above example gives

Unminify

Unminify is our contribution to this space. It can undo most of the transformations applied by UglifyJS and by simple obfuscation tools. On our example above, given the right options it will fully restore the original program except for the name of the local variable input, which is not recoverable:

Unminify is built on top of our open source Shift family of tools for the analysis and transformation of JavaScript.

Operation

The basic operation of Unminify consists of parsing the code to an AST, applying a series of transformations to that AST iteratively until no further changes are possible, and then generating JavaScript source from the final AST. These transformations are merely functions which consume a Shift AST and produce a Shift AST.
This process is handled well by the Shift family, which makes it simple to write and, crucially, reason about analysis and transformation passes on JavaScript source. There is very little magic under the hood.

Unminify has support for adding additional transformation passes to its pipeline. These can be passed with the --additional-transform transform.js flag, where transform.js is a file exporting a transformation function. If you develop a transformation which is generally useful, we encourage you to contribute it!


It seems everyone today is talking about stolen passwords, but this is an older problem than people realize. Protecting your enterprise from credential stuffing attacks and account takeover as a result of stolen credentials is at the heart of the discussion—and as more business moves online it’s an increasingly expensive problem.

The Stolen Password

During the final phase of the Peloponnesian War,[1] a series of tactical errors led to the defeat of the superior Athenian forces. Among the many errors was an inadequate identification system, reliant on a shared watchword. At the final and crucial battle of Syracuse, the besieged Syracusan army discovered the Athenian watchword that was used for identifying allies. Quietly disseminating this password between them, the Syracusan forces created havoc during a nighttime battle, preventing the dazed Athenian forces from identifying ally from foe and ultimately leading to their devastation.[2]

Step forward a few thousand years to the 1960s, when limited computing resources at MIT resulted in the Compatible Time-Sharing System. Given the limited power of computers at the time, a short phrase was the simplest way to identify users on the platform. But the first password breach soon followed when in 1962 Allan Scherr, looking for a way to increase his allotted time on the platform, managed to request a printout of the entire password file.[3]

Since then, the history of the password remains consistently problematic. Passwords are complicated, easily forgotten, and usually represent a single point of failure. Wake up to find your password compromised and the results, although not quite as devastating as for the Athenians, can often be financially or socially shattering. In efforts to make passwords themselves more secure, increasingly arbitrary rules on their construction have been enforced. Unfortunately, these rules often force users to adopt practices that directly contradict the intent, driving users to adopt the same password across websites,[4][5][6] or preventing the use of tools like password managers.

Meanwhile, despite growing awareness of multi-factor authentication systems, statistics around adoption rates are difficult to find and are widely thought to be worryingly low.

Introducing NIST

NIST (or the National Institute of Standards and Technology) is a non-regulatory United States Government Agency with a mission to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”[7] Within this mandate, NIST has established the NIST Cybersecurity Framework. The original intent was to develop a voluntary framework to help organizations manage cybersecurity risk across critical infrastructure, but the framework has been adopted much more widely throughout the world. Of particular interest is the four-volume Special Publication 800-63 on Digital Identity Guidelines which is available on the NIST Website and NIST GitHub. It includes:

Offer the option to display the password, rather than dots or asterisks.


Don’t enforce composition rules (no more: your password should include upper and lower case characters, and at least one number). These encourage passwords with the illusion of complexity, like Passw0rd, which any dictionary attack will take into account.

Don’t use password hints, as users tend to populate these hints with enough information to make guessing the password trivial. Instead, focus on supporting easily memorized passwords and phrases.

Don’t use Knowledge Based Authentication (e.g. what was the name of your childhood pet?).

Don’t use SMS as a 2-Factor Authentication method.

Updated Password Storage Guidance

NIST also includes guidance on encryption and storage of user passwords. As we’ve seen from previous breaches, weak and reversible encryption lets attackers access vast sets of credentials that can easily be used against other sites.[8] To limit the effect of breaches on other sites, NIST recommends that:

Passwords should be salted and hashed using a suitable one-way key derivation function.

Use the approved key derivation function PBKDF2 with SHA-1, SHA-2, or SHA-3 and at least 10,000 iterations.

Breach Corpuses

The appendix of 800-63b lays out some hard truths about the choices we make as users:

Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.
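A verifier-side implementation of the two pieces of guidance quoted here, the blacklist screening described in this appendix passage (and in the "Check new passwords against a blacklist" takeaway earlier) and the salted PBKDF2 storage rules listed above. This is an added example written for this page, not NIST's or Shape's code; the breach-corpus entries, the service-specific words, the case-folding of candidates and the 100,000-iteration count are this example's own constructed choices.

```python
"""Screen a new password against a blacklist, then store only a salted
PBKDF2 hash.  Added example; corpus, service words and parameters are
constructed, not taken from any real system."""
import hashlib
import hmac
import secrets

MIN_LENGTH = 8                 # minimum length for user-chosen secrets
PBKDF2_ITERATIONS = 100_000    # above the 10,000 floor quoted on the page

# Constructed stand-in for a breach corpus, dictionary words and words
# specific to the (hypothetical) service "examplestore".
RAW_BLACKLIST = [
    "password", "Password1!", "Passw0rd", "123456", "qwerty", "letmein",
    "correct horse battery staple",      # long entries are kept
    "examplestore", "example store",     # service-specific words
    "cat", "dog",                        # too short to ever be chosen; dropped
]

def normalise(pw: str) -> str:
    """Fold case and strip surrounding whitespace so trivial variants match."""
    return pw.strip().casefold()

def build_blacklist(raw, min_length=MIN_LENGTH):
    """Keep only entries that could pass the length rule: per the appendix,
    the dictionary 'need only include entries meeting that requirement'."""
    return {normalise(p) for p in raw if len(p.strip()) >= min_length}

BLACKLIST = build_blacklist(RAW_BLACKLIST)

def check_password(candidate: str, blacklist=BLACKLIST, min_length=MIN_LENGTH):
    """Return (accepted, reason).  Only length and blacklist membership are
    enforced; there are deliberately no composition rules."""
    if len(candidate) < min_length:
        return False, "too short"
    if normalise(candidate) in blacklist:
        return False, "found in blacklist"
    return True, "ok"

def hash_password(password: str, iterations=PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256.  The record carries its own parameters so
    the iteration count can be raised later without invalidating old rows."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def enrol(candidate: str):
    """Full enrolment flow: policy check, then hash.
    Returns (stored record or None, reason)."""
    ok, reason = check_password(candidate)
    if not ok:
        return None, reason
    return hash_password(candidate), reason
```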

Maintaining a list of compromised credentials from previous breaches is a noble effort, but there are a number of factors to balance. For example, Facebook attracted criticism when it announced in 2016 that it had been purchasing credentials from the dark web[9] in order to secure its own users. Such purchases could effectively help power the market, funding and encouraging further breaches and supporting the black market credential ecosystem. Plus, the huge window of time that exists between a data breach and the eventual emergence of the stolen credentials means that traditional breach corpus lists are often ineffective – and that’s something Shape Security is addressing with Blackfish. Shape co-founder Sumit Agarwal explains it best:

Shape has grown into one of the largest processors of login traffic on the entire web. We have built machine learning and deep learning systems to autonomously identify credential stuffing attacks in real-time. These systems now generate an important byproduct: direct knowledge of stolen usernames and passwords when criminals are first starting to exploit them against major web and mobile apps. What this means is that we see the stolen assets months or years before they appear on the dark web.

Of course, once you’ve found a way to compile it, a vast list of the freshest credentials is itself a major target, so to minimize risk (as well as ensure absolute compliance with regulations such as GDPR), Shape does not store any direct username/password pairs but instead leverages a probabilistic data structure called a Bloom filter.

Conclusion

As Jim Fenton, one of the publication contributors, points out, “If it’s not user friendly, users cheat.”[10] Frustrating password policies have been long overdue for an overhaul and the new NIST Digital Identity Guidelines rightly place the burden upon the verifier, not the user. While verifiers of users should ensure they’re following the guidelines to give users the best chance of securing their accounts, they should also take additional steps to ensure that security breaches originating from outside their own organization are stopped before they create more damage closer to home. In light of the recent FTC ruling on credential stuffing, it might be more than just best practices that encourage verifiers to comply.

In the era of Amazon and mainstream e-commerce, every online retailer has to deliver a compelling user experience across their web and mobile channels while protecting customers from cyberattacks and fraud. Recently, Shape collaborated with R-CISC to share attack data and analysis of the most prevalent threats for retailers and best practices on how Top 10 Retailers are mitigating these threats.

Analysis of Top Online Retail Threats

Credential Stuffing

Credential stuffing is responsible for more than 99% of all retail account takeovers (ATOs). In one attack on a top 50 retailer, Shape identified over 13.8 million automated posts against a login endpoint, using 80,000 unique IPs, sustained for 10 days. Prior to blocking, this retailer identified 328,000 account takeovers.

Gift Card Cracking

For some retailers Shape has observed that over 98.5% of their traffic to gift card endpoints is automated. Gift card cracking is popular because it’s relatively easy to monetize and often done anonymously. Criminals impersonate real users and steal valid gift card numbers by exploiting the retailers’ own applications for purchases, transfers and checking gift card balances.

Fake Account Creation

Fake account creation is often used for future fraud including promotions, points, fake reviews and surveys. In one client example, 16k fake accounts were attempted to be created in just a week. Stopping attacks requires the fast identification of automated attackers and manual fraudsters without adding any friction for actual customers.

Scalping

Scalping bots obtain limited availability items, often resulting in items being sold out in minutes. A common scenario is bots buying up high demand concert tickets, congesting the main user flow for everyone else, resulting in a bad user experience and brand reputation damage for a retailer’s most loyal customers.

One client experienced a staggering 99.84% of scalping traffic as part of its total traffic leading up to the November Black Friday period. The scalping traffic was instantly blocked once it started routing through Shape. Again, fast implementation is key—especially during peak online shopping periods.

How are Top 10 Retailers Preventing Attacks?

Here are some of the best practices we observed from the top ten retailers who have successfully protected their businesses from the most damaging threats:

Attacks are escalating in size and scope. By December 2017, some 10 million credentials were spilling onto the web each day. Criminals, working in concert across time zones and national boundaries, use those credentials to overwhelm even the savviest retailers. Big investments in security, by themselves, haven’t foiled these attacks.

The stark reality for every e-commerce retailer today is that online fraud is the biggest threat to your business.

So what is a retailer to do?

Shape’s answer might surprise you: We believe that retailers should run in packs. Just as criminals share information and ingenuity across networks, so too retailers must band together to defeat them—both by understanding the threat and by developing cross-company defenses.

There is Safety in Numbers

Already, many retailers have joined industry groups like the Retail Cyber Intelligence Sharing Center and the Merchant Risk Council, where they trade tips about criminal activity and how to respond. Some retailers are also deploying collective defense capabilities. A network like Shape’s Blackfish uses real-time attack data from many of the world’s largest consumer sites. Then Blackfish can alert companies in the network to known threats, so they can block them—before an attack even takes place.

Collective defense capabilities help retailers defeat many of the most dangerous online attacks.

Top Three Online Attacks Against Retailers

1) Credential Stuffing

Easy, effective and powerful, credential stuffing is a tool of choice for cybercriminals—and is the fastest-growing security issue facing retailers today.

How it works: Criminals grab readily available usernames and passwords and use them to attack retail websites. On a typical retail website, credential stuffing makes up 50-70% of total traffic. In some cases, that number exceeds 95%. Once they get in, criminals can make purchases using credit cards linked to the account or drain gift cards.

Credential stuffing is difficult to eliminate because criminals adapt to defensive measures quickly, often within 12 to 24 hours. They’re able to invest in rapid response because the profit margins are high. Defeating credential stuffing is very difficult for a single retailer in isolation—but is manageable as part of a network of allied retailers.

2) Creating Fake Accounts

With a fake account, a criminal can exploit stolen credit cards, defraud other users, reap new-customer perks, and much else. Creating fake accounts at scale requires either automation (i.e. programs that impersonate real users) or mechanical Turks (low-wage workers). Either way, the traffic flows through the same channels as legitimate new customer accounts.

The last thing a retailer wants to do is to muck up that channel—or introduce any sort of friction for new customers. That’s why a solution that protects against automated and manual fraud is critical. It can eliminate fake accounts without affecting real users at all.

3) Cracking Gift Cards

Gift card cracking occurs when criminals correctly guess a valid gift card number which has a non-zero balance. At that point, the criminals either transfer the balance to a card they control, or sell the card on a site like Raise.com or eBay.

How does the criminal guess a valid number? He gets a little help from the retailers. Every retailer operates a website or mobile app that allows customers to make purchases or check gift card balances. Criminals exploit these portals. They use programs that impersonate real users and try every possible gift card number. Soon enough, the criminal will have a trove of valid gift card numbers primed for crime.

Customer-selected PINs and other authorization steps have proven flimsy defenses—and so, retailers often face a difficult choice. Many preventative measures create more friction for their customers. But with a real-time adaptive application defense system, retailers can actually block attacks without customers even realizing it.

Additional Reading

Here are some additional resources to help you stay ahead of the threats:

R-CISC is a community for cybersecurity practitioners in the retail industry

MRC is an industry association for e-commerce payment and risk professionals

To learn more about these threats, explore new attack techniques from the holiday season and best practices we observed from Top 10 Retailers, watch our Retail Threat Intelligence Briefing webinar on-demand.

Today we’re releasing Blackfish, a system that proactively protects companies from credential stuffing before an attack takes place. Normally, credential stuffing starts with a data breach at one major company (“Initial Victim”), and continues when a criminal then uses the stolen data (usernames and passwords) against dozens or even hundreds of different companies (“Downstream Victims”). Usually, many months or years pass before the Initial Victim realizes and discloses the initial data breach, and in that time, criminals are able to successfully attack huge numbers of Downstream Victims. Later, once the Initial Victim does disclose the breach, the Downstream Victims start matching the username/password pairs from the Initial Victim against their own user databases, and resetting any passwords that match. The whole process can take years and results in hundreds of millions of dollars worth of fraud and brand damage.

Blackfish changes all that. From the very first moment a criminal attempts to use stolen usernames and passwords, Blackfish begins monitoring and protecting matching accounts at other companies. So, while under normal circumstances a criminal can get hundreds of chances to monetize the stolen usernames and passwords, with Blackfish in place, criminals get far fewer chances.

You may be wondering how Blackfish can accomplish all this. Explaining that requires a little background on Shape Security.

We founded Shape six years ago to answer a simple question: is a visitor to a web or mobile app an actual human being? This simple question proved to be an important one. As we perfected our ability to answer it, we started eliminating enormous amounts of fraudulent traffic from the largest web and mobile apps in the world — often 90% or more of the login traffic from a Fortune 100 web application.

Today, we are the primary line of defense for many of the largest organizations around the world. Our customers include: three of the top four banks, three of the top five airlines, two of the top three hotel chains, and numerous other leading companies and government agencies.

We secure all of those large organizations in a centralized way, directly delivering the security outcome of eliminating fraudulent traffic. That centralized security capability is also the heart of Blackfish, and allows Blackfish to see stolen usernames and passwords in use far before anyone else ever knows about them (including the Initial Victim).

Think about it: if you were a criminal and managed to steal all the usernames and passwords from a major corporation, where would you try them out? If you’re like most criminals, the answer is that you’d try them on the largest banks, airlines, hotels, and retail sites in the world. That’s what happens in practice, and when it does, that’s also when Blackfish sees the very first such attack, and sets about protecting all username/password pairs that happen to match on other large websites.

Blackfish does all this before the original data breach is reported or even detected by the Initial Victim company.

The problem with looking for credentials on the dark web

You can scour the dark web to find user credentials, but one of the greatest dangers companies face today is the long window of time between when breaches occur on third-party websites like Yahoo, and when those breaches are discovered and announced. Instead of hoping that stolen passwords will appear in the dark web in time to be useful, Blackfish autonomously detects credential stuffing attacks on the largest, most targeted websites in the world, identifies newly stolen credentials, and nullifies them globally. That stolen data becomes useless to cybercriminals.

How does it work?

Shape has grown into one of the largest processors of login traffic on the entire web. We have built machine learning and deep learning systems to autonomously identify credential stuffing attacks in real-time. These systems now generate an important byproduct: direct knowledge of stolen usernames and passwords when criminals are first starting to exploit them against major web and mobile apps. What this means is that we see the stolen assets months or years before they appear on the dark web.

Blackfish’s knowledge base of compromised credentials is built with maximum security in mind. To ensure that its knowledge base is secured, Blackfish does not store any credential information but instead leverages Bloom filters to create probabilistic data structures to perform its operations. As a result, the compromised credentials themselves are not stored anywhere and Blackfish can use the information about compromises to improve security while maintaining full data privacy.
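The Bloom-filter design described here and in the earlier "Breach Corpuses" section, worked through as an added example rather than Blackfish's own implementation: compromised username/password pairs are folded into a bit array, so a downstream verifier can ask "is this pair known to be compromised?" while no pair is stored anywhere. The credential pairs, the filter sizing and the login-time reset check are constructed assumptions for this example.

```python
"""Bloom filter over compromised credential pairs.  Added example; the pairs
are constructed and the sizing is this example's choice.  The filter answers
'definitely not seen' or 'probably seen' and never yields a credential."""
import hashlib
import math

class CredentialBloomFilter:
    """m-bit array; each item sets k bit positions derived from SHA-256."""

    def __init__(self, m_bits: int, k_hashes: int):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.count = 0

    @staticmethod
    def _key(username: str, password: str) -> bytes:
        # Usernames are case-folded; a NUL separator keeps ("ab","c") and
        # ("a","bc") from mapping to the same key.
        return f"{username.casefold()}\x00{password}".encode("utf-8")

    def _indices(self, item: bytes):
        # k indices from SHA-256 over (counter || item).  Only bit positions
        # survive, so the structure holds no recoverable credential material.
        for i in range(self.k):
            h = hashlib.sha256(i.to_bytes(2, "big") + item).digest()
            yield int.from_bytes(h, "big") % self.m

    def add(self, username: str, password: str) -> None:
        for idx in self._indices(self._key(username, password)):
            self.bits[idx >> 3] |= 1 << (idx & 7)
        self.count += 1

    def may_contain(self, username: str, password: str) -> bool:
        """False: pair definitely not in the filter.  True: probably in it,
        with a false-positive rate estimated by expected_fp_rate()."""
        return all((self.bits[idx >> 3] >> (idx & 7)) & 1
                   for idx in self._indices(self._key(username, password)))

    def expected_fp_rate(self) -> float:
        """Standard estimate (1 - e^(-kn/m))^k at the current fill level."""
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k

def optimal_parameters(n_items: int, target_fp: float):
    """Bit count m and hash count k that meet target_fp after n_items adds."""
    m = math.ceil(-n_items * math.log(target_fp) / math.log(2) ** 2)
    k = max(1, round(m / n_items * math.log(2)))
    return m, k

# Constructed pairs standing in for credentials observed being replayed in a
# credential-stuffing attack against one protected site.
OBSERVED_STOLEN = [
    ("alice@example.com", "Summer2017!"),
    ("bob@example.com", "Passw0rd"),
    ("carol@example.com", "letmein123"),
]

def build_filter(pairs=OBSERVED_STOLEN, capacity=1000, target_fp=1e-6):
    """Size the filter for `capacity` future insertions, then load pairs."""
    m, k = optimal_parameters(capacity, target_fp)
    bf = CredentialBloomFilter(m, k)
    for user, pw in pairs:
        bf.add(user, pw)
    return bf

def login_should_force_reset(bf: CredentialBloomFilter,
                             username: str, password: str) -> bool:
    """Downstream check at login time: if the presented pair is probably
    compromised, force a reset rather than accept the stolen secret."""
    return bf.may_contain(username, password)
```

Because the filter can only produce false positives (never false negatives), a hit should trigger a reset or step-up rather than a hard lockout, and the target rate should be chosen with that user-facing cost in mind.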

What good is a stolen password if you can never use it?

For better or for worse, memorized secrets (a.k.a. “passwords”) are the most widely used authentication mechanism online. As such, having access to millions of stolen passwords (over 3.3 billion were reported stolen in 2016 alone) allows cybercriminals to easily take over users’ accounts on any major website. They do this with credential stuffing attacks, which take stolen passwords from website A and try them on website B to see which accounts the same email addresses and passwords will unlock. Cybercriminals can do this reliably with a typical 1-2% success rate, allowing them to seize the value in bank accounts, gift card accounts, airline loyalty programs, and other accounts, which they can then monetize for a predictable ROI.

Since credential stuffing attacks are responsible for more than 99.9% of account takeover attempts, if we identify the stolen credentials that are used in these attacks, and invalidate them across other websites, we change the economics for cybercriminals significantly. If their 1-2% success rate now drops by two orders of magnitude or more, their “business” no longer functions. At that point, the cybercriminal has no choice but to try to obtain new stolen passwords. If those new passwords are similarly detected and invalidated, it will become clear to the criminals that the economics of their scheme have been broken. We think that over time, Blackfish will end credential stuffing for everyone.

We are all very excited at Shape to announce this system and our vision to make credential stuffing attacks a thing of the past. You can learn more on our website and contact us when your company is ready to try Blackfish.


One thing the world can consistently agree on is that CAPTCHAs are annoying. The puzzle always appears in the most inconvenient of places. Online gift card purchases. Creating an account on an ecommerce webpage. Typing in those hard to memorize credentials one too many times.

But the ultimate frustration about CAPTCHA is that it serves absolutely no purpose. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), was originally designed to prevent bots, malware, and artificial intelligence (AI) from interacting with a web page. In the 90s, this meant preventing spam bots. These days, organizations use CAPTCHA in an attempt to prevent more sinister automated attacks like credential stuffing.

Almost as soon as CAPTCHA was introduced, however, cybercriminals developed effective methods to bypass it. The good guys responded with “hardened” CAPTCHAs but the result remains the same: the test that attempts to stop automation is circumvented with automation.

There are multiple ways CAPTCHA can be defeated. A common method is to use a CAPTCHA solving service, which utilizes low-cost human labor in developing countries to solve CAPTCHA images. Cybercriminals subscribe to a service for CAPTCHA solutions, which streamline into their automation tools via APIs, populating the answers on the target website. These shady enterprises are so ubiquitous that many can be found with a quick Google search, including:

DeathbyCAPTCHA

2Captcha

Kolotibablo

ProTypers

Antigate

This article will use 2Captcha to demonstrate how attackers integrate the solution to orchestrate credential stuffing attacks.

2Captcha

Upon accessing the site 2Captcha.com, the viewer is greeted with the image below, asking whether the visitor wants to 1) work for 2Captcha or 2) purchase 2Captcha as a service.

Option 1 – Work for 2Captcha

To work for 2Captcha, simply register for an account, providing an email address and PayPal account for payment deposits. During a test, an account was validated within minutes.

New workers must take a one-time training course that teaches them how to quickly solve CAPTCHAs. It also provides tips such as when case does and doesn’t matter. After completing the training with sufficient accuracy, the worker can start earning money.

After selecting “Start Work,” the worker is taken to the workspace screen, which is depicted above. The worker is then provided a CAPTCHA and prompted to submit a solution. Once solved correctly, money is deposited into an electronic “purse,” and the worker can request payout whenever they choose. There is seemingly no end to the number of CAPTCHAs that appear in the workspace, indicating a steady demand for the service.

2Captcha workers are incentivized to submit correct solutions much like an Uber driver is incentivized to provide excellent service—customer ratings. 2Captcha customers rate the accuracy of the CAPTCHA solutions they received. If a 2Captcha worker’s rating falls below a certain threshold, she will be kicked off the platform. Conversely, workers with the highest ratings will be rewarded during times of low demand by receiving priority in CAPTCHA distribution.

Option 2 – 2Captcha as a service

To use 2Captcha as a service, a customer (i.e., an attacker) integrates the 2Captcha API into her attack to create a digital supply chain, automatically feeding CAPTCHA puzzles from the target site and receiving solutions to input into the target site.

2Captcha helpfully provides example scripts to generate API calls in different programming languages, including C#, JavaScript, PHP, Python, and more. The example code written in Python has been reproduced below:

Integrating 2Captcha into an Automated Attack

How would an attacker use 2Captcha in a credential stuffing attack? The diagram below shows how the different entities interact in a CAPTCHA bypass process:

Technical Process:

1. The attacker requests the CAPTCHA iframe source and the URL used to embed the CAPTCHA image from the target site and saves it locally.

2. The attacker requests an API token from the 2Captcha website.

3. The attacker sends the CAPTCHA to the 2Captcha service using an HTTP POST and receives a Captcha ID, a numerical ID associated with the CAPTCHA image that was submitted to 2Captcha. The ID is used in step 5 in an API GET request to 2Captcha to retrieve the solved CAPTCHA.

4. 2Captcha assigns the CAPTCHA to a worker, who solves it and submits the solution to 2Captcha.

5. The attacker's script polls 2Captcha with the CAPTCHA ID every 5 seconds until the CAPTCHA is solved, at which point 2Captcha returns the solution. While the CAPTCHA is still being solved, 2Captcha responds with "CAPTCHA_NOT_READY" and the script tries again 5 seconds later.

6. The attacker sends a login request to the target site with the form fields filled out (i.e. a set of credentials from a stolen list) along with the CAPTCHA solution.

7. The attacker iterates over this process with each CAPTCHA image.

Combined with web testing frameworks like Selenium or PhantomJS, an attacker can appear to interact with the target website in a human-like fashion, effectively bypassing many existing security measures to launch a credential stuffing attack.

Monetization & Criminal Ecosystem

With such an elegant solution in place, what does the financial ecosystem look like, and how do the parties each make money?

Monetization: CAPTCHA solver

Working as a CAPTCHA solver is far from lucrative. Based on the metrics provided on 2Captcha’s website, it’s possible to calculate the following payout:

Assuming it takes 6 seconds per CAPTCHA, a worker can submit 10 CAPTCHAs per minute or 600 CAPTCHAs per hour. In an 8-hour day that’s 4800 CAPTCHAs. Based on what was earned during our trial as an employee for 2Captcha (roughly $0.0004 per solution), this equates to $1.92 per day.

This is a waste of time for individuals in developed countries, but for those who live in locales where a few dollars per day can go relatively far, CAPTCHA solving services are an easy way to make money.

Monetization: Attacker

The attacker pays the third party, 2Captcha, for CAPTCHA solutions in bundles of 1000. Attackers bid on the solutions, paying anywhere between $1 and $5 per bundle.

Many attackers use CAPTCHA-solving services as a component of a larger credential stuffing attack, which justifies the expense. For example, suppose an attacker is launching an attack to test one million credentials from Pastebin on a target site. In this scenario, the attacker needs to bypass one CAPTCHA with each set of credentials, which would cost roughly $1000. Assuming a 1.5% successful credential reuse rate, the attacker can take over 15,000 accounts, which can all be monetized.

Monetization: 2Captcha

2Captcha receives payment from the Attacker on a per 1000 CAPTCHA basis. As mentioned above, customers (i.e. attackers) pay between $1 and $5 per 1000 CAPTCHAs. Services like 2Captcha then take a cut of the bid price and dole out the rest to their human workforce. Since CAPTCHA solving services are used as a solution at scale, the profits add up nicely. Even if 2Captcha only receives $1 per 1000 CAPTCHAs solved, they net a minimum of 60 cents per bundle. The owners of these sites are often in developing countries themselves, so the seemingly low revenue is substantial.

What about Google’s Invisible reCAPTCHA?

In March of this year, Google released an upgraded version of its reCAPTCHA called “Invisible reCAPTCHA.” Unlike “no CAPTCHA reCAPTCHA,” which required all users to click the infamous “I’m not a Robot” button, Invisible reCAPTCHA allows known human users to pass through while only serving a reCAPTCHA image challenge to suspicious users.

You might think that this would stump attackers because they would not be able to see when they were being tested. Yet, just one day after Google introduced Invisible reCAPTCHA, 2Captcha wrote a blog post on how to beat it.

Google treats a user as human if that user has previously visited the requested page, which it determines by checking the browser’s cookies. If the same user starts using a new device or has recently cleared their cache, Google lacks that history and is forced to issue a reCAPTCHA challenge.

For an attacker to automate a credential stuffing attack using 2Captcha, he needs to guarantee a CAPTCHA challenge. Thus, one way to bypass Invisible reCAPTCHA is to add a line of code to the attack script that clears the browser with each request, guaranteeing a solvable reCAPTCHA challenge.
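The technical process above (one stolen credential pair per attempt, one CAPTCHA per attempt) combined with the browser-clearing trick just described leaves a footprint in the target site's own login logs. The following added example is not Shape's or 2Captcha's code: it aggregates constructed log lines per source address, using assumed field names, and flags sources that combine many distinct usernames, almost no returning-visitor cookies, and a failure rate consistent with testing stolen credentials at the 1.5% reuse rate cited above.

```python
from collections import defaultdict

# Constructed sample log lines, one login attempt each (not real traffic).
# session=new -> request carried no prior cookie (browser cleared per attempt)
# session=ret -> request carried a returning-visitor cookie
SAMPLE_LOG = """\
ip=203.0.113.7 user=alice session=new result=fail
ip=203.0.113.7 user=bob session=new result=fail
ip=203.0.113.7 user=carol session=new result=fail
ip=203.0.113.7 user=dave session=new result=fail
ip=203.0.113.7 user=erin session=new result=ok
ip=203.0.113.7 user=frank session=new result=fail
ip=198.51.100.4 user=grace session=ret result=fail
ip=198.51.100.4 user=grace session=ret result=ok
ip=198.51.100.4 user=grace session=ret result=ok
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict (assumed log format)."""
    return dict(field.split("=", 1) for field in line.split())


def summarize(log_text):
    """Aggregate attempts, distinct users, fresh sessions and failures per IP."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "fresh": 0, "fail": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        s["fresh"] += int(rec["session"] == "new")
        s["fail"] += int(rec["result"] == "fail")
    return stats


def flag_sources(log_text, min_attempts=5, min_users=5, fresh_ratio=0.9, fail_ratio=0.8):
    """Return IPs matching the scripted-credential-testing pattern:
    many distinct usernames, nearly every request without a prior session,
    and mostly failed logins (at a 1.5% reuse rate ~98.5% of attempts fail)."""
    flagged = []
    for ip, s in summarize(log_text).items():
        if s["attempts"] < min_attempts:
            continue  # too few attempts to judge
        if (len(s["users"]) >= min_users
                and s["fresh"] / s["attempts"] >= fresh_ratio
                and s["fail"] / s["attempts"] >= fail_ratio):
            flagged.append(ip)
    return sorted(flagged)
```

The thresholds are illustrative; a real deployment would tune them against the site's own baseline of legitimate traffic, since a single shared egress address can legitimately carry many users.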

The slightly tricky thing about Invisible reCAPTCHA is that the CAPTCHA challenge is hidden, but there is a workaround. The CAPTCHA can be “found” by using the “inspect element” browser tool. So the attacker can send a POST to 2Captcha that includes a parameter detailing where the hidden CAPTCHA is located. Once the attacker receives the CAPTCHA solution from 2Captcha, Invisible reCAPTCHA can be defeated via automation in one of two ways:

JavaScript action that calls a function to supply the solved token with the page form submit

HTML code change directly in the webpage to substitute a snippet of normal CAPTCHA code with the solved token input.

The fact that Invisible reCAPTCHA can be bypassed isn’t because there was a fatal flaw in the design of the newer CAPTCHA. It’s that any reverse Turing test is inherently beatable when the pass conditions are known.

As long as there are CAPTCHAs, there will be services like 2Captcha because the economics play so well into the criminal’s hands. Taking advantage of low cost human labor minimizes the cost of doing business and allows cybercriminals to reap profits that can tick upwards of millions of dollars at scale. And there will always be regions of the world with cheap labor costs, so the constant demand ensures constant supply on 2Captcha’s side.

The world doesn’t need to develop a better CAPTCHA, since this entire approach has fundamental limitations. Instead, we should acknowledge those limitations and implement defenses where the pass conditions are unknown or are at least difficult for attackers to ascertain.